first commit

2025-11-13 23:47:20 +08:00
commit 900b9ca1f3
83 changed files with 8704 additions and 0 deletions
--- a/templates/apiportal/apiportal-db-secret.yaml
+++ b/templates/apiportal/apiportal-db-secret.yaml
@@ -0,0 +1,12 @@
+{{- if and .Values.apiportal.enabled .Values.apiportal.mysql.enabled (not .Values.apiportal.mysql.existingSecret) -}}
+apiVersion: v1
+data:
+  username: {{ .Values.apiportal.mysql.username | b64enc }}
+  password: {{ .Values.apiportal.mysql.password | b64enc }}
+kind: Secret
+metadata:
+  name: {{ include "gateway.apiportal.secretName" . }}
+  labels:
+    {{- include "gateway.labels" . | nindent 4 }}
+    app.kubernetes.io/component: apiportal
+{{- end }}
--- a/templates/apiportal/apiportal-deployment.yaml
+++ b/templates/apiportal/apiportal-deployment.yaml
@@ -0,0 +1,173 @@
+{{- if .Values.apiportal.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: "{{ include "gateway.fullname" . }}-apiportal"
+  labels:
+    {{- include "gateway.labels" . | nindent 4 }}
+    app.kubernetes.io/component: apiportal
+spec:
+  replicas: {{ .Values.apiportal.replicaCount }}
+  strategy:
+    {{- if eq (default .Values.global.updateStrategy.type .Values.apiportal.updateStrategy.type) "RollingUpdate" }}
+    rollingUpdate:
+      maxSurge: {{ default .Values.global.updateStrategy.rollingUpdate.maxSurge .Values.apiportal.updateStrategy.rollingUpdate.maxSurge }}
+      maxUnavailable: {{ default .Values.global.updateStrategy.rollingUpdate.maxUnavailable .Values.apiportal.updateStrategy.rollingUpdate.maxUnavailable }}
+    {{- end }}
+    type: {{ default .Values.global.updateStrategy.type .Values.apiportal.updateStrategy.type }}
+  selector:
+    matchLabels:
+      {{- include "gateway.selectorLabels" . | nindent 6 }}
+      app.kubernetes.io/component: apiportal
+      {{- with .Values.apiportal.podLabels }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+  template:
+    metadata:
+      {{- with .Values.apiportal.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "gateway.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: apiportal
+        {{- with .Values.apiportal.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "gateway.apiportal.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.apiportal.podSecurityContext | nindent 8 }}
+      containers:
+        - name: "{{ include "gateway.fullname" . }}-apiportal"
+          securityContext:
+            {{- toYaml .Values.apiportal.securityContext | nindent 12 }}
+          command: ["/usr/local/bin/entrypoint.sh", "apiportal"]
+          {{- with .Values.apiportal.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.apiportal.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          resources:
+            {{- toYaml .Values.apiportal.resources | nindent 12 }}
+          env:
+            # Same mysql database has been used for both metrics and apiportal
+            {{- if .Values.apiportal.mysql.enabled }}
+            - name: MYSQL_HOST
+              value: {{ tpl .Values.global.database.host . | quote }}
+            - name: MYSQL_PORT
+              value: {{ .Values.global.database.port  | quote }}
+            - name: MYSQL_USER
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "gateway.apiportal.secretName" . }}
+                  key: {{ with .Values.apiportal.mysql.existingSecret.keyMapping }}{{- default "username" .username }}{{- else -}}"username"{{- end }}
+            - name: MYSQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "gateway.apiportal.secretName" . }}
+                  key: {{ with .Values.apiportal.mysql.existingSecret.keyMapping }}{{- default "password" .password }}{{- else -}}"password"{{- end }}
+            - name: MYSQL_DATABASE
+              value: {{ .Values.apiportal.mysql.databaseName | quote }}
+            - name: MYSQL_SSL_ON
+              value: {{ .Values.apiportal.mysql.sslOn | quote }}
+            - name: MYSQL_SSL_VERIFY_CERT
+              value: {{ .Values.apiportal.mysql.sslVerifyCert | quote }}
+            {{- end }}
+            {{- if .Values.apiportal.redis.enabled }}
+            - name: REDIS_CONFIGURED
+              value: "1"
+            - name: REDIS_ON
+              value: "1"
+            - name: REDIS_HOST
+              value: {{ required "A redis host should be specified" .Values.apiportal.redis.host | quote }}
+            - name: REDIS_PORT
+              value: {{ default "6379" .Values.apiportal.redis.port | quote }}
+            - name: REDIS_CACHE_TIMEOUT_SEC
+              value: {{ default "600" .Values.apiportal.redis.cacheTimeout | quote }}
+            {{- end }}
+            - name: APACHE_SSL_ON
+              value: {{ .Values.apiportal.apache.sslOn | quote }}
+            - name: APIMANAGER_CONFIGURED
+              value: {{ default "1" .Values.apiportal.apiManager.configured | quote }}
+            - name: API_WHITELIST_CONFIGURED
+              value: "1"
+            - name: API_WHITELIST
+              value: "apitraffic.{{ .Values.global.domainName }}"
+            - name: APIMANAGER_NAME
+              value: {{ .Values.apiportal.apiManager.name | quote }}
+            - name: APIMANAGER_HOST
+              value: "{{ include "gateway.fullname" . }}-apimgr"
+            - name: APIMANAGER_PORT
+              value: {{ .Values.apimgr.service.ports.ui.port | quote }}
+            - name: HTTP_PORT
+              value: {{ .Values.apiportal.service.ports.http.port | quote }}
+            - name: HTTPS_PORT
+              value: {{ .Values.apiportal.service.ports.https.port | quote }}
+            - name: HTTPS_FORCE_PORT
+              value: {{ .Values.apiportal.service.ports.force.port | quote }}
+            - name: T4_DOWNLOADED
+              value: {{ .Values.apiportal.t4_downloaded | quote }}
+            {{- if .Values.apiportal.extraEnvVars }}
+            {{- toYaml .Values.apiportal.extraEnvVars | nindent 12 }}
+            {{- end }}
+          image: "{{ default .Values.global.defaultRegistry .Values.apiportal.image.registry }}/{{ .Values.apiportal.image.repository }}:{{ .Values.apiportal.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+          ports:
+            - name: "apiportal"
+              containerPort: {{ .Values.apiportal.service.ports.force.port }}
+              protocol: TCP
+          volumeMounts:
+            {{- $mounts := list }}
+            {{- if .Values.apiportal.mysql.sslOn }}
+              {{- $mounts = append $mounts (dict "name" "mysql-certs" "mountPath" "/opt/axway/apiportal/certs/mysql/mysql-ca.pem" "subPath" "mysql-ca.pem") }}
+            {{- end }}
+            {{- if .Values.apiportal.apache.sslOn }}
+              {{- $mounts = append $mounts (dict "name" "apache" "mountPath" "/opt/axway/apiportal/certs/apache/") }}
+            {{- end }}
+            {{- include "gateway.volumeMounts" (dict "component" "portal" "storage" (dict "volumes" (.Values.global.storage.volumes | concat .Values.apiportal.storage.volumes))) | fromYamlArray | concat $mounts | default list | toYaml | nindent 12 }}
+      initContainers:
+      - name: init-mysql
+        image: {{ .Values.global.initContainers.image | quote }}
+        command: [ 'sh', '-c', 'until nc -w 3 -v {{ tpl .Values.global.database.host . }} {{ .Values.global.database.port }}; do echo waiting for MySQL; sleep 2; done;' ]
+        {{- with .Values.global.initContainers.resources }}
+        resources:
+          {{- toYaml . | nindent 12 }}
+        {{- end }}
+        {{- with .Values.global.initContainers.securityContext }}
+        securityContext:
+          {{- toYaml . | nindent 12 }}
+        {{- end }}
+      {{- if .Values.apiportal.apiManager.configured }}
+      - name: init-apimanager
+        image: {{ .Values.global.initContainers.image | quote }}
+        command: [ 'sh', '-c', 'until nc -w 3 -v  {{ include "gateway.fullname" . }}-apimgr 8075; do echo waiting for API Manager; sleep 2; done;' ]
+        {{- with .Values.global.initContainers.resources }}
+        resources:
+          {{- toYaml . | nindent 12 }}
+        {{- end }}
+        {{- with .Values.global.initContainers.securityContext }}
+        securityContext:
+          {{- toYaml . | nindent 12 }}
+        {{- end }}
+      {{- end }}
+      {{- with .Values.apiportal.extraInitContainers }}
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        {{- $vols := list }}
+        {{- if .Values.apiportal.mysql.sslOn }}
+          {{- $vols = append $vols (dict "name" "mysql-certs" "secret" (dict "secretName" "mysql-ca-cert" "items" (list (dict "key" "mysql-ca.pem" "path" "mysql-ca.pem")))) }}
+        {{- end }}
+        {{- if .Values.apiportal.apache.sslOn }}
+          {{- $vols = append $vols (dict "name" "apache" "secret" (dict "secretName" "apache" "items" (list (dict "key" "tls.key" "path" "apache.key") (dict "key" "tls.crt" "path" "apache.crt")))) }}
+        {{- end }}
+        {{- include "gateway.volumes" (dict "component" "portal" "storage" (dict "volumes" (.Values.global.storage.volumes | concat .Values.apiportal.storage.volumes))) | fromYamlArray | concat $vols | default list | toYaml | nindent 8 }}
+{{- end }}
--- a/templates/apiportal/apiportal-ingress.yaml
+++ b/templates/apiportal/apiportal-ingress.yaml
@@ -0,0 +1,47 @@
+{{- if and .Values.apiportal.enabled .Values.apiportal.ingress.enabled -}}
+{{- $fullName := include "gateway.fullname" . -}}
+{{- $svcPort := .Values.apiportal.service.ports.target.port }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-apiportal
+  labels:
+    {{- include "gateway.labels" . | nindent 4 }}
+  {{- with .Values.apiportal.ingress.annotations }}
+  annotations:
+    {{- tpl (toYaml .) $ | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.apiportal.ingress.className }}
+  ingressClassName: {{ .Values.apiportal.ingress.className }}
+  {{- end }}
+  {{- if .Values.apiportal.ingress.tls }}
+  tls:
+    {{- range .Values.apiportal.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ tpl . $ | quote }}
+        {{- end }}
+      {{- if .secretName }}
+      secretName: {{ tpl (.secretName) $ }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.apiportal.ingress.hosts }}
+    - host: {{ tpl .host $ | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- if .pathType }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              service:
+                name: {{ $fullName }}-apiportal
+                port:
+                  number: {{ $svcPort }}
+          {{- end }}
+    {{- end }}
+{{- end }}
--- a/templates/apiportal/apiportal-rbac.yaml
+++ b/templates/apiportal/apiportal-rbac.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.apiportal.enabled -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: apiportalscc
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "gateway.labels" . | nindent 4 }}
+    app.kubernetes.io/component: apiportal
+rules:
+- apiGroups:
+  - security.openshift.io
+  resourceNames:
+  - nonroot
+  resources:
+  - securitycontextconstraints
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: apiportalscc
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "gateway.labels" . | nindent 4 }}
+    app.kubernetes.io/component: apiportal
+subjects:
+- kind: ServiceAccount
+  name: {{ include "gateway.apiportal.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+roleRef:
+  kind: Role
+  name: apiportalscc
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
--- a/templates/apiportal/apiportal-routes.yaml
+++ b/templates/apiportal/apiportal-routes.yaml
@@ -0,0 +1,40 @@
+{{- if and .Values.apiportal.enabled .Values.apiportal.route.enabled -}}
+kind: Route
+apiVersion: route.openshift.io/v1
+metadata:
+  name: "{{ include "gateway.fullname" . }}-apiportal"
+  labels:
+    {{- include "gateway.labels" . | nindent 4 }}
+    app.kubernetes.io/component: apiportal
+spec:
+  to:
+    kind: Service
+    name: {{ include "gateway.fullname" . }}-apiportal
+  {{- if .Values.global.domainName }}
+  host: apiportal.{{ .Values.global.domainName }}
+  {{- end }}
+  port:
+    targetPort: {{ tpl .Values.apiportal.route.targetPort . }}
+{{- if .Values.apiportal.route.tls.enabled }}
+  tls:
+    termination: {{ .Values.apiportal.route.tls.termination }}
+    insecureEdgeTerminationPolicy: {{ .Values.apiportal.route.tls.insecureEdgeTerminationPolicy }}
+  {{- if .Values.apiportal.route.tls.key }}
+    key: |-
+      {{- .Values.apiportal.route.tls.key | nindent 6 }}
+  {{- end }}
+  {{- if .Values.apiportal.route.tls.destinationCACertificate }}
+    destinationCACertificate: |-
+      {{- .Values.apiportal.route.tls.destinationCACertificate | nindent 6 }}
+  {{- end }}
+  {{- if .Values.apiportal.route.tls.caCertificate }}
+    caCertificate: |-
+      {{- .Values.apiportal.route.tls.caCertificate | nindent 6 }}
+  {{- end }}
+  {{- if .Values.apiportal.route.tls.certificate }}
+    certificate: |-
+      {{- .Values.apiportal.route.tls.certificate | nindent 6 }}
+  {{- end }}
+{{- end }}
+  wildcardPolicy: None
+{{- end }}
--- a/templates/apiportal/apiportal-service.yaml
+++ b/templates/apiportal/apiportal-service.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.apiportal.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "gateway.fullname" . }}-apiportal
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "gateway.labels" . | nindent 4 }}
+    app.kubernetes.io/component: apiportal
+spec:
+  type: ClusterIP
+  ports:
+  - port: {{ .Values.apiportal.service.ports.http.port }}
+    targetPort: {{ .Values.apiportal.service.ports.http.port }}
+    protocol: TCP
+    name: {{ include "gateway.fullname" . }}-apiportal-http
+  - port: {{ .Values.apiportal.service.ports.https.port }}
+    targetPort: {{ .Values.apiportal.service.ports.https.port }}
+    protocol: TCP
+    name: {{ include "gateway.fullname" . }}-apiportal-https
+  selector:
+    {{- include "gateway.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: apiportal
+{{- end }}
--- a/templates/apiportal/apiportal-serviceaccount.yaml
+++ b/templates/apiportal/apiportal-serviceaccount.yaml
@@ -0,0 +1,13 @@
+{{- if and .Values.apiportal.enabled .Values.apiportal.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "gateway.apiportal.serviceAccountName" . }}
+  labels:
+    {{- include "gateway.labels" . | nindent 4 }}
+    app.kubernetes.io/component: apiportal
+  {{- with .Values.apiportal.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
--- a/templates/apiportal/storage/apiportal-pvc.yaml
+++ b/templates/apiportal/storage/apiportal-pvc.yaml
@@ -0,0 +1,53 @@
+{{- if .Values.apiportal.enabled }}
+{{- range .Values.apiportal.storage.volumes }}
+{{- if .enabled }}
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ .name | lower }}
+  labels:
+    {{- include "gateway.labels" $ | nindent 4 }}
+    app.kubernetes.io/component: apiportal
+spec:
+  accessModes:
+    {{- with .accessModes }}
+    {{- toYaml . | nindent 4 }}
+    {{- else }}
+    - ReadWriteMany
+    {{- end }}
+  storageClassName: {{ default $.Values.global.storage.storageClassName .storageClassName | quote }}
+  resources:
+    requests:
+      storage: {{ default "1Mi" .capacity | quote }}
+{{- if eq (default $.Values.global.storage.provisioningType $.Values.apiportal.storage.provisioningType) "static" }}
+# PersistentVolume needs to be created only for Static storage provisioning
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: {{ include "gateway.fullname" $ }}-{{ .name | lower }}
+  labels:
+    {{- include "gateway.labels" $ | nindent 4 }}
+    app.kubernetes.io/component: apiportal
+spec:
+  capacity:
+    storage: {{ .capacity | quote }}
+  volumeMode: Filesystem
+  accessModes:
+    {{- with .accessModes }}
+    {{- toYaml . | nindent 4 }}
+    {{- else }}
+    - ReadWriteMany
+    {{- end }}
+  persistentVolumeReclaimPolicy: {{ .persistentVolume.reclaimPolicy | quote }}
+  csi:
+    driver: {{ .persistentVolume.csiDriver }}
+    volumeHandle: {{ .persistentVolume.volumeHandle }}
+  claimRef:
+    name: {{ .name | lower }}
+    namespace: {{ $.Release.Namespace | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
--- a/templates/apiportal/storage/storage-class.yaml
+++ b/templates/apiportal/storage/storage-class.yaml
@@ -0,0 +1,26 @@
+{{ if .Values.apiportal.enabled }}
+{{- range .Values.apiportal.storage.classes }}
+---
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: {{ .name | lower }}
+  labels:
+    {{- include "gateway.labels" $ | nindent 4 }}
+provisioner: {{ .provisioner | quote }}
+{{- with .allowVolumeExpansion }}
+allowVolumeExpansion: {{ . }}
+{{- end }}
+{{- with .parameters }}
+parameters:  {{- tpl (toYaml .) $ | nindent 2 }}
+{{- end }}
+{{- with .mountOptions }}
+mountOptions: {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- if eq (default $.Values.global.storage.provisioningType $.Values.apiportal.storage.provisioningType) "dynamic" }}
+volumeBindingMode: WaitForFirstConsumer
+{{- else }}
+volumeBindingMode: Immediate
+{{- end }}
+{{- end }}
+{{- end }}